[PATCH] pretty: Fix bug in truncation support for %>, %< and %><

[PATCH] pretty: Fix bug in truncation support for %>, %< and %><

[Ramsay Jones]

Some systems experience failures in t4205-*.sh (tests 18-20, 27)
which all relate to the use of truncation with the %< padding
placeholder. This capability was added in the commit a7f01c6b
("pretty: support truncating in %>, %< and %><", 19-04-2013).

The truncation support was implemented with the assistance of a
new strbuf function (strbuf_utf8_replace). This function contains
the following code:

       strbuf_attach(sb_src, strbuf_detach(&sb_dst, NULL),
                     sb_dst.len, sb_dst.alloc);

Unfortunately, this code is subject to unspecified behaviour. In
particular, the order of evaluation of the argument expressions
(along with the associated side effects) is not specified by the
C standard. Note that the second argument expression is a call to
strbuf_detach() which, as a side effect, sets the 'len' and 'alloc'
fields of the sb_dst argument to zero. Depending on the order of
evaluation of the argument expressions to the strbuf_attach call,
this can lead to assigning an empty string to 'sb_src'.

In order to remove the undesired behaviour, we replace the above
line of code with:

       strbuf_swap(sb_src, &sb_dst);
       strbuf_release(&sb_dst);

which achieves the desired effect without provoking unspecified
behaviour.

Signed-off-by: Ramsay Jones <ramsay@ramsay1.demon.co.uk>
---
 utf8.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/utf8.c b/utf8.c
index b1e1303..0d20e0a 100644
--- a/utf8.c
+++ b/utf8.c
@@ -463,8 +463,8 @@ void strbuf_utf8_replace(struct strbuf *sb_src, int pos, int width,
 		w += n;
 	}
 	strbuf_setlen(&sb_dst, dst - sb_dst.buf);
-	strbuf_attach(sb_src, strbuf_detach(&sb_dst, NULL),
-		      sb_dst.len, sb_dst.alloc);
+	strbuf_swap(sb_src, &sb_dst);
+	strbuf_release(&sb_dst);
 }
 
 int is_encoding_utf8(const char *name)
-- 
1.8.2

Re: [PATCH] pretty: Fix bug in truncation support for %>, %< and %><

[Duy Nguyen]

On Sun, Apr 28, 2013 at 2:43 AM, Ramsay Jones
<ramsay@ramsay1.demon.co.uk> wrote:
> The truncation support was implemented with the assistance of a
> new strbuf function (strbuf_utf8_replace). This function contains
> the following code:
>
>        strbuf_attach(sb_src, strbuf_detach(&sb_dst, NULL),
>                      sb_dst.len, sb_dst.alloc);
>
> Unfortunately, this code is subject to unspecified behaviour. In
> particular, the order of evaluation of the argument expressions
> (along with the associated side effects) is not specified by the
> C standard.

Thanks for noticing and fixing it. What compiler did you use by the way?
--
Duy

Re: [PATCH] pretty: Fix bug in truncation support for %>, %< and %><

[Jonathan Nieder]

Hi,

Ramsay Jones wrote:

> Some systems experience failures in t4205-*.sh (tests 18-20, 27)
> which all relate to the use of truncation with the %< padding
> placeholder. This capability was added in the commit a7f01c6b
> ("pretty: support truncating in %>, %< and %><", 19-04-2013).

This is reproducible when running the test suite for 1.8.3-rc0 on some
Debian test machines (ARM, ia64, powerpc) using gcc 4.6:

  https://buildd.debian.org/status/logs.php?pkg=git&ver=1%3A1.8.3~rc0-1

> The truncation support was implemented with the assistance of a
> new strbuf function (strbuf_utf8_replace). This function contains
> the following code:
>
>        strbuf_attach(sb_src, strbuf_detach(&sb_dst, NULL),
>                      sb_dst.len, sb_dst.alloc);
>
> Unfortunately, this code is subject to unspecified behaviour. In
> particular, the order of evaluation of the argument expressions
> (along with the associated side effects) is not specified by the
> C standard. Note that the second argument expression is a call to
> strbuf_detach() which, as a side effect, sets the 'len' and 'alloc'
> fields of the sb_dst argument to zero.

Makes sense.

[...]
> In order to remove the undesired behaviour, we replace the above
> line of code with:
>
>        strbuf_swap(sb_src, &sb_dst);
>        strbuf_release(&sb_dst);
>
> which achieves the desired effect without provoking unspecified
> behaviour.

Nice cleanup.  I haven't tested the patch but it looks obviously
correct and I assume you've tested it, so for what it's worth,

Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>

Re: [PATCH] pretty: Fix bug in truncation support for %>, %< and %><

[Ramsay Jones]

Duy Nguyen wrote:
> On Sun, Apr 28, 2013 at 2:43 AM, Ramsay Jones
> <ramsay@ramsay1.demon.co.uk> wrote:
>> The truncation support was implemented with the assistance of a
>> new strbuf function (strbuf_utf8_replace). This function contains
>> the following code:
>>
>>        strbuf_attach(sb_src, strbuf_detach(&sb_dst, NULL),
>>                      sb_dst.len, sb_dst.alloc);
>>
>> Unfortunately, this code is subject to unspecified behaviour. In
>> particular, the order of evaluation of the argument expressions
>> (along with the associated side effects) is not specified by the
>> C standard.
> 
> Thanks for noticing and fixing it.

I didn't notice it; your test noticed it and nagged me to take a look!
;-)

The verbose output from the test made it clear that, rather than the
expected truncated output, it was returning an empty string. A quick
trip to the debugger clearly showed strbuf_detach() clearing the len
and alloc fields of sb_dst, which was then passed to strbuf_attach().
So, I didn't really do much. :-D

>                                   What compiler did you use by the way?

The compiler was gcc, but that doesn't really matter much.

ATB,
Ramsay Jones